새로운 미용실을 가다.

If you want to open 'This PC\All Control Panel Items\Programs and Features'
First you need to convert each items to GUID

• This PC -> 20d04fe0-3aea-1069-a2d8-08002b30309d
• All Control Panel Items -> 21ec2020-3aea-1069-a2dd-08002b30309d
• Programs and Features -> 7b81be6a-ce2b-4676-a29e-eb907a5126c5

Then launch exporer.exe with /separate paramter

For example:

C:\Windows\explorer.exe /separate, ::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{21ec2020-3aea-1069-a2dd-08002b30309d}\::{7b81be6a-ce2b-4676-a29e-eb907a5126c5}

Then the above process will be terminated and the below process shows up with ' Programs and Features'

C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

If you want to launch explorer.exe as your descendant process, there is a way

1. Run: C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
   • This process is your descendant process and it is invisible.
2. Run: C:\Windows\explorer.exe /separate, ::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{21ec2020-3aea-1069-a2dd-08002b30309d}\::{7b81be6a-ce2b-4676-a29e-eb907a5126c5}
   • This process will be terminated and 'Programs and Features' will be showed in the previous explorer.exe.
   • But if there is one more explorer.exe /factory, there is no gurantee which one shows 'Programs and Features'.

It is almost impossible to prevent administrators from stopping services.
But there are some ways to make it difficult for them.

1. Ignoring the stop notification

SetServiceStatus

If you call this function without 'SERVICE_ACCEPT_STOP' in dwControlsAccepted member in SERVICE_STAUS structure, the service ignores the stop notification.

1. Chaning the access control on the service

// Get an acl of the service

  ATL::CDacl dacl;
  bool result = ATL::AtlGetDacl(L"serviceName", SE_SERVICE, &dacl);


// Traverse all access masks

  for (UINT index = 0; index < count; ++index) {
    CSid aceSid;
    ACCESS_MASK mask = 0;
    BYTE type = 0;
    BYTE flags = 0;
    GUID objectType;
    GUID inheritedObjectType;
    dacl.GetAclEntry(index, &aceSid, &mask, &type, &flags, &objectType, &inheritedObjectType);

}

// Change & Set acess mask

// Remove old ace
dacl.RemoveAce(speciifcIndex);
// Remove permissions(SERVICE_CHANGE_CONFIG & SERVICE_STOP)
specificMask &= ~SERVICE_CHANGE_CONFIG; 
specificMask &= ~SERVICE_STOP;
// Add new ace
 result = dacl.AddAllowedAce(specificSid, specificMask, specificFlags);

NtCreateToken

Return Codes

• STATUS_SUCCESS - Indicates the operation was successful.
• STATUS_INVALID_OWNER - Indicates the ID provided to be assigned
          as the default owner of the token does not have an attribute
          indicating it may be assigned as an owner.
• STATUS_INVALID_PRIMARY_GROUP - Indicates the group ID provided
          via the PrimaryGroup parameter was not among those assigned
          to the token in the Groups parameter.
• STATUS_BAD_IMPERSONATION_LEVEL - Indicates no impersonation level
          was provided when attempting to create a token of type
          TokenImpersonation.

createprocess-windows

How can I get a signature for a Windows system that will remain unchanged even if the user reinstalls Windows?

// appwiz.cpl is COM server related to (UnInstall or Change a program)
#include <shappmgr.h>
#include <iostream>
#import <appwiz.cpl>

// If this import gets into trobule, you could solve the problem by using #import directives
/*
#import <appwiz.cpl> rename("tag_inner_PROPVARIANT", "_tag_inner_PROPVARIANT") \
inject_statement("typedef struct _LARGE_INTEGER2 { LONGLONG QuadPart; } LARGE_INTEGER2;") \
inject_statement("typedef struct _ULARGE_INTEGER2 { ULONGLONG QuadPart;} ULARGE_INTEGER2;") \
rename("_LARGE_INTEGER", " _LARGE_INTEGER2") \
rename("_ULARGE_INTEGER", "_ULARGE_INTEGER2")
*/

int main()
{

	::CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

	class __declspec(uuid("{352EC2B7-8B9A-11D1-B8AE-006008059382}")) AppWiz;
	static const CLSID CLSID_AppWiz = __uuidof(AppWiz);

	SHAPPMGRPLib::IShellAppManagerPtr spShellAppManaager;
	HRESULT hr = spShellAppManaager.CreateInstance(CLSID_AppWiz, NULL, CLSCTX_INPROC_SERVER);

	SHAPPMGRPLib::IEnumInstalledAppsPtr spEnumInstalledApps;
	hr = spShellAppManaager->EnumInstalledApps(&spEnumInstalledApps);

	SHAPPMGRPLib::IInstalledAppPtr spInstalledApp;
	SHAPPMGRPLib::IInstalledApp* pInstalledApp;
	
	while (S_OK == (hr = spEnumInstalledApps->Next(&pInstalledApp))) {

		spInstalledApp = pInstalledApp;


		SHAPPMGRPLib::_AppInfoData data = { 0 };
		data.cbSize = sizeof(SHAPPMGRPLib::_AppInfoData);
		data.dwMask = AIM_DISPLAYNAME | AIM_VERSION | AIM_PUBLISHER | AIM_INSTALLDATE;

		hr = spInstalledApp->GetAppInfo(&data);

		// You have to check the validation of the data before using it.

		std::wcout << "Name: " << data.pszDisplayName << " ver: " << data.pszVersion
			<< " publisher: " << data.pszPublisher << " installedOn: " << data.pszInstallDate << std::endl;

	}

	::CoUninitialize();

	return 0;
}

LLDB Debugging Guide

Foreground activation permission is like love: You can’t steal it, it has to be given to you

Windows 8 App Container Security Notes - Part 1

User-defined literals — Part I

User-defined literals — Part II

User-defined literals — Part III

Remote Debugging

• Remote Side(e.g. 192.168.129.2)
  • Install Command Line Tools for Xcode
  • Run debugserver(/Library/Developer/CommandLineTools/Library/PrivateFrameworks/LLDB.framework/Versions/A/Resources ver 12.5)

  • Usage: debugserver host:port [program-name program-arg1 program-arg2 ...] debugserver /path/file [program-name program-arg1 program-arg2 ...] debugserver host:port --attach=<pid> debugserver /path/file --attach=<pid> debugserver host:port --attach=<process_name> debugserver /path/file --attach=<process_name>

    host: Local Side e.g.: debugserver 192.168.129.1:1600 --attach=1234 Attaching to process 2051... Listening to port 1600 for a connection from 192.168.129.1...

• Local Side(e.g. 192.168.129.1)
  • Run lldb
  • Then enter this command: process connect connect://192.168.129.2:1600
• Set the entitlement
  • The debugee should have 'com.apple.security.get-task-allow' entitlement in order to be attached by debuggers.
  • In debug mode it is set, but in release mode it is stripped.
  • Build Settings > Signing > Code Signing inject Base Entitlements > 'Yes'